Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	780218
MD5:	6822f46b691d856777852b1342f294e1
SHA1:	b4d772d60fc363234da23b6fa02175ff89561193
SHA256:	912a8d4711001972a4d2234a5b34998afb3feebc9e1a76e4a36257c4980e4e5f
Tags:	exe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 43%

Antivirus detection for URL or domain

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: host-file-host6.com	Virustotal: Detection: 17%			Perma Link
Source: host-host-file8.com	Virustotal: Detection: 17%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iihhevv

ReversingLabs: Detection: 43%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iihhevv

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.0.file.exe.400000.2.unpack	Avira: Label: TR/Patched.Gen
Source: 13.0.iihhevv.400000.2.unpack	Avira: Label: TR/Patched.Gen
Source: 1.0.file.exe.400000.3.unpack	Avira: Label: TR/Patched.Gen
Source: 13.0.iihhevv.400000.1.unpack	Avira: Label: TR/Patched.Gen
Source: 1.0.file.exe.400000.1.unpack	Avira: Label: TR/Patched.Gen
Source: 13.0.iihhevv.400000.0.unpack	Avira: Label: TR/Patched.Gen
Source: 1.0.file.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen
Source: 13.0.iihhevv.400000.3.unpack	Avira: Label: TR/Patched.Gen

Source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: VC:\jixehetumah75\yes36-nifagisukesuce51-hiriy\husa.pdb source: file.exe, iihhevv.3.dr
Source:	Binary string: C:\jixehetumah75\yes36-nifagisukesuce51-hiriy\husa.pdb source: file.exe, iihhevv.3.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.6:49701 -> 185.246.221.154:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.246.221.154 185.246.221.154

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wavjaq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: host-file-host6.com

Source: explorer.exe, 00000003.00000000.375571444.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.335063212.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.291326238.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.312089796.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349980053.000000000F5B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.318245571.000000000F5B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.356672976.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2c415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iihhevv.2d215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.iihhevv.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Source: iihhevv, 0000000C.00000002.440038517.0000000002D9A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.272820167.0000000002CB9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.440117627.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.272820167.0000000002CB9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.440117627.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040180C Sleep,NtTerminateProcess,	1_2_0040180C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401818 Sleep,NtTerminateProcess,	1_2_00401818
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401822 Sleep,NtTerminateProcess,	1_2_00401822
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401826 Sleep,NtTerminateProcess,	1_2_00401826
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401834 Sleep,NtTerminateProcess,	1_2_00401834
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_0040180C Sleep,NtTerminateProcess,	13_2_0040180C
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_00401818 Sleep,NtTerminateProcess,	13_2_00401818
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_00401822 Sleep,NtTerminateProcess,	13_2_00401822
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_00401826 Sleep,NtTerminateProcess,	13_2_00401826
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_00401834 Sleep,NtTerminateProcess,	13_2_00401834

Tries to load missing DLLs

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

ReversingLabs: Detection: 43%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\iihhevv C:\Users\user\AppData\Roaming\iihhevv
Source: C:\Users\user\AppData\Roaming\iihhevv	Process created: C:\Users\user\AppData\Roaming\iihhevv C:\Users\user\AppData\Roaming\iihhevv
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Process created: C:\Users\user\AppData\Roaming\iihhevv C:\Users\user\AppData\Roaming\iihhevv	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\iihhevv

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@4/2

Source: C:\Users\user\AppData\Roaming\iihhevv

Code function: 12_2_02DAD349 CreateToolhelp32Snapshot,Module32First,

12_2_02DAD349

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: VC:\jixehetumah75\yes36-nifagisukesuce51-hiriy\husa.pdb source: file.exe, iihhevv.3.dr
Source:	Binary string: C:\jixehetumah75\yes36-nifagisukesuce51-hiriy\husa.pdb source: file.exe, iihhevv.3.dr

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011D0 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011D7 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011EB push ebx; iretd	1_2_00401217
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 12_2_02DB30E8 pushad ; iretd	12_2_02DB30EE
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 12_2_02DAE25C push ebx; iretd	12_2_02DAE287
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 12_2_02DAE247 push ebx; iretd	12_2_02DAE287
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_004011D0 push ebx; iretd	13_2_00401217
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_004011D7 push ebx; iretd	13_2_00401217
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_004011EB push ebx; iretd	13_2_00401217

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\iihhevv

Jump to dropped file

Drops PE files

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\iihhevv

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\iihhevv:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: iihhevv, 0000000D.00000002.453932968.00000000006DB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 5496	Thread sleep count: 662 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5476	Thread sleep count: 295 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5484	Thread sleep count: 307 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5484	Thread sleep time: -30700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2980	Thread sleep count: 486 > 30	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 662			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 486			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000003.00000000.336772992.00000000045B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.310501814.00000000081DD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000003.00000000.363530032.0000000006710000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000003.00000000.344790577.0000000008304000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.344698254.00000000082B2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.310942909.0000000008269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	System information queried: CodeIntegrityInformation			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Roaming\iihhevv

Code function: 12_2_02DACC26 push dword ptr fs:[00000030h]

12_2_02DACC26

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: iihhevv.3.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 4E61930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Thread created: unknown EIP: 4A41930			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Process created: C:\Users\user\AppData\Roaming\iihhevv C:\Users\user\AppData\Roaming\iihhevv			Jump to behavior

Source: explorer.exe, 00000003.00000000.357266621.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.335391872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.293910023.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: explorer.exe, 00000003.00000000.304764006.0000000005D90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.357266621.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.374808503.000000000835D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.335063212.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.291326238.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.357266621.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.357266621.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.335391872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.293910023.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040C0C7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040C0C7

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2c415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iihhevv.2d215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.iihhevv.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2c415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iihhevv.2d215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.iihhevv.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.246.221.154	host-file-host6.com	Germany		10753	LVLT-10753US	true

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
host-file-host6.com	185.246.221.154	true
host-host-file8.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-file-host6.com/	true	URL Reputation: safe	unknown
http://host-host-file8.com/	true	URL Reputation: malware	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 43%

Antivirus detection for URL or domain

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: host-file-host6.com	Virustotal: Detection: 17%			Perma Link
Source: host-host-file8.com	Virustotal: Detection: 17%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iihhevv

ReversingLabs: Detection: 43%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iihhevv

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.0.file.exe.400000.2.unpack	Avira: Label: TR/Patched.Gen
Source: 13.0.iihhevv.400000.2.unpack	Avira: Label: TR/Patched.Gen
Source: 1.0.file.exe.400000.3.unpack	Avira: Label: TR/Patched.Gen
Source: 13.0.iihhevv.400000.1.unpack	Avira: Label: TR/Patched.Gen
Source: 1.0.file.exe.400000.1.unpack	Avira: Label: TR/Patched.Gen
Source: 13.0.iihhevv.400000.0.unpack	Avira: Label: TR/Patched.Gen
Source: 1.0.file.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen
Source: 13.0.iihhevv.400000.3.unpack	Avira: Label: TR/Patched.Gen

Source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: VC:\jixehetumah75\yes36-nifagisukesuce51-hiriy\husa.pdb source: file.exe, iihhevv.3.dr
Source:	Binary string: C:\jixehetumah75\yes36-nifagisukesuce51-hiriy\husa.pdb source: file.exe, iihhevv.3.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.6:49701 -> 185.246.221.154:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.246.221.154 185.246.221.154

Uses a known web browser user agent for HTTP communication

Source: global traffic

String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2c415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iihhevv.2d215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.iihhevv.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Source: iihhevv, 0000000C.00000002.440038517.0000000002D9A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.272820167.0000000002CB9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.440117627.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.272820167.0000000002CB9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.440117627.0000000002DA9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040180C Sleep,NtTerminateProcess,	1_2_0040180C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401818 Sleep,NtTerminateProcess,	1_2_00401818
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401822 Sleep,NtTerminateProcess,	1_2_00401822
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401826 Sleep,NtTerminateProcess,	1_2_00401826
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401834 Sleep,NtTerminateProcess,	1_2_00401834
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_0040180C Sleep,NtTerminateProcess,	13_2_0040180C
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_00401818 Sleep,NtTerminateProcess,	13_2_00401818
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_00401822 Sleep,NtTerminateProcess,	13_2_00401822
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_00401826 Sleep,NtTerminateProcess,	13_2_00401826
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_00401834 Sleep,NtTerminateProcess,	13_2_00401834

Tries to load missing DLLs

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

ReversingLabs: Detection: 43%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\iihhevv C:\Users\user\AppData\Roaming\iihhevv
Source: C:\Users\user\AppData\Roaming\iihhevv	Process created: C:\Users\user\AppData\Roaming\iihhevv C:\Users\user\AppData\Roaming\iihhevv
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Process created: C:\Users\user\AppData\Roaming\iihhevv C:\Users\user\AppData\Roaming\iihhevv	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\iihhevv

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@4/2

Source: C:\Users\user\AppData\Roaming\iihhevv

Code function: 12_2_02DAD349 CreateToolhelp32Snapshot,Module32First,

12_2_02DAD349

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: VC:\jixehetumah75\yes36-nifagisukesuce51-hiriy\husa.pdb source: file.exe, iihhevv.3.dr
Source:	Binary string: C:\jixehetumah75\yes36-nifagisukesuce51-hiriy\husa.pdb source: file.exe, iihhevv.3.dr

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011D0 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011D7 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011EB push ebx; iretd	1_2_00401217
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 12_2_02DB30E8 pushad ; iretd	12_2_02DB30EE
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 12_2_02DAE25C push ebx; iretd	12_2_02DAE287
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 12_2_02DAE247 push ebx; iretd	12_2_02DAE287
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_004011D0 push ebx; iretd	13_2_00401217
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_004011D7 push ebx; iretd	13_2_00401217
Source: C:\Users\user\AppData\Roaming\iihhevv	Code function: 13_2_004011EB push ebx; iretd	13_2_00401217

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\iihhevv

Jump to dropped file

Drops PE files

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\iihhevv

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\iihhevv:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: iihhevv, 0000000D.00000002.453932968.00000000006DB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 5496	Thread sleep count: 662 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5476	Thread sleep count: 295 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5484	Thread sleep count: 307 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5484	Thread sleep time: -30700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2980	Thread sleep count: 486 > 30	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 662			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 486			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000003.00000000.336772992.00000000045B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.310501814.00000000081DD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000003.00000000.363530032.0000000006710000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000003.00000000.344790577.0000000008304000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.344698254.00000000082B2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.310942909.0000000008269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	System information queried: CodeIntegrityInformation			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Roaming\iihhevv

Code function: 12_2_02DACC26 push dword ptr fs:[00000030h]

12_2_02DACC26

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: iihhevv.3.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 4E61930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Thread created: unknown EIP: 4A41930			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iihhevv	Process created: C:\Users\user\AppData\Roaming\iihhevv C:\Users\user\AppData\Roaming\iihhevv			Jump to behavior

Source: explorer.exe, 00000003.00000000.357266621.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.335391872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.293910023.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: explorer.exe, 00000003.00000000.304764006.0000000005D90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.357266621.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.374808503.000000000835D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.335063212.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.291326238.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.357266621.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.357266621.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.335391872.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.293910023.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040C0C7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040C0C7

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2c415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iihhevv.2d215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.iihhevv.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2c415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iihhevv.2d215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.iihhevv.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.iihhevv.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.453836489.00000000006B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.453756487.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379061898.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.379122048.00000000022F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.360700242.0000000004E61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

ID:	780218
Product:	CloudBasic
Start time:	16:14:20
Start date:	08.01.2023
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	6822f46b691d856777852b1342f294e1
SHA1:	b4d772d60fc363234da23b6fa02175ff89561193
SHA256:	912a8d4711001972a4d2234a5b34998afb3feebc9e1a76e4a36257c4980e4e5f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\iihhevv	PE32 executable (GUI) Intel 80386, for MS Windows	6822F46B691D856777852B1342F294E1	B4D772D60FC363234DA23B6FA02175FF89561193	912A8D4711001972A4D2234A5B34998AFB3FEEBC9E1A76E4A36257C4980E4E5F
C:\Users\user\AppData\Roaming\iihhevv:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe